This is the White Rhino Security blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, Palo Alto, and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.

Thursday, June 26, 2014

Well, I have seen a new low in the IT services business here recently. The company I work for hosts a phone system for a particular company in town. We only do voice for them, nothing else. A competing services company does the data for them. Voice for us, data for them. Not too unusual of a setup.
But, this client has had their fax machines down for the last 48 hours. The Telco provider called me (it's a small world) and told me about it and asked if we had made any changes to our equipment (since he knew our setup, etc). Of course, I said no, since I had not been out there any time recently. But I said I would go out and check anyway, just to verify all looked ok.
When I arrived, I found out that the competitor had told the client that they needed a battery backup and that the "router" was bad. Hmmm. That "router" belongs to my company, how would they know that, since they have no login and no one has reported any problems?
Well, sure enough, NOW there was a problem. The client could no longer get any fax calls in or out. So, there was no problem before they showed up. Now that they are onsite, there is a problem (a voice problem, I might add). They claim (before anyone knew there was a fax problem) that the router is bad. This just gets more interesting.
So when I get up there to troubleshoot, I find an alarm light on the PRI module. I can loop back the carrier equipment with no problem. I get a CD green light when I do. I can loop back my router with no problem, as I get the CD green light as well. Hmmm. What do you know, there is a regular cat 5 patch cable connecting my T1/PRI module in my Cisco router to the carrier Adtran router. Well, those things just don't jump up there by themselves.
So if you aren't aware, it takes a T1 crossover cable instead of a regular cat 5 patch cable to connect the Cisco and Adtran together on the voice side. The competitor knew this for sure, as I have found out that the competitor has quoted a hosted voice solution to this client recently. So, some questions:
1. Do I think the competitor replaced the good T1 crossover cable with the patch cable? YES.
2. Do I think they were doing it to make my company look bad, to sway the client to use their hosted voice services? YES.
3. Am I upset about it? Not really. I told the customer what happened. They were, of course, shocked at such a thing, as I am as well.

Am I a fan of such tactics? No. Dishonesty never gets you far. And even if it gets you immediate rewards, you will still lose in the end.

Monday, June 23, 2014

Peter Banda has been kind enough to share more on setting up virtual IPPBX systems in his latest guest post here on Network Fun!!! Thank you Peter. ~~Shane Killen

Setting up virtual ippbx systems - By Peter Banda

Unlike traditional phone systems, voice over internet protocol (VoIP) can use existing computer network cabling, eliminating the need for a separate network for voice communications. In this guide I will show how to set up a VoIP phone system using Axon Virtual IPPBX for the server and an Aastra 6731i for the client. Axon by NCH only releases commercial versions, but you can download 3CX, which has a free version limited to about four simultaneous calls, or even free Linux-based virtual IPPBX distributions. 3CX or Axon can be downloaded from their official websites.

When Axon IPPBX has been downloaded, run the exe file and you will be presented with a license agreement window. Read it, click the ‘I accept the license terms’ radio button and click Next. The next window may offer options to install additional programs (depending on which version you downloaded), but ours is only a basic installation, so we are not going to install any additional programs. Leave all options unchecked; but if you don’t have a physical VoIP phone, you may check the Express Talk softphone. VoIP softphones work as well as the hardware-based phones. On this window click Finish.

Now it's time to make configurations. For the number of extensions, enter the total number of extensions you think you can use. In Axon you may increase the number of extensions later, but other phone systems do not allow adding extensions after setup. That is why you should enter a number that has some extensions reserved for future use. Compose and enter an administrator password to use any time you want to manage the server. The default username for the server administrator is Admin; you might want to change it. Below that there is an option to configure email for notifications; I will leave that one for now. Click Next. From here Axon attempts to open incoming ports for SIP and RTP to allow calls from the internet. If your setup is for internal use only, ignore this. But if there is a need to make and receive calls to and from the internet, then you need to make sure that UDP ports 5060, 5070, 8000, 8002, 8004, 8006 ... 8020 are open on your firewall. In this post I will stick with internal use and reserve external dialling for a future post.

Axon automatically searches for firewalls or routers on the network; if any are detected between your network and the internet, it will ask you to enter some settings for audio routing. Then there is a window for additional information; click ‘No thanks’. Check ‘Open Axon’s web control’ on the next window, then click Finish. The Axon VoIP server now starts; enter your user name and password to log in. If it doesn't start, double-click on the Axon server icon, then click on Web Control to log in.

In the Axon control panel, click on Extensions and Groups, because we will have to set up two SIP accounts for two Aastra phones to ensure that the server is working. Select extension 101 and click Edit (an icon with a pencil and paper); leave the extension number as it is. Edit the display name: type ‘test phone 101’ without quotes. Type voiptest101 in the password field. This is for testing only; when making final configurations, choose meaningful display names and strong passwords. Repeat this for the next extension, number 102.

Power up the two Aastra phones and connect them to your network. I will assume that the phones have no settings on them or are reset to their factory default settings. If you have a DHCP server on the network, the phones should be able to get dynamic IP addresses. If there is no DHCP server, then you have to give them static IP addresses. To check if they received IP addresses, press the Settings/Options button on the phone. The button has a spanner symbol on it. Navigate down to ‘Phone Status’, then ‘IP and MAC Addresses’. Press the right arrow to see the IP address. Open a web browser on a computer that is connected to the same network and type the phone's IP address in the address bar of the browser to access its web UI. Enter admin and 22222 for user name and password. To give the phones static IP addresses, press the Options button, navigate to the Admin menu and enter 22222 as the password (22222 is the default Aastra 6731i password). Go to Network Settings, DHCP Settings, change it to OFF, and press the right arrow; you will then be prompted to restart the phone. After the restart, go back to Network Settings, this time proceed to IP Address, and type the IP address and subnet mask. Restart the phone if you are prompted. Open a web browser on your computer and enter the phone's IP address.

Since we already have two extensions on the server, we have to give the phones the extensions, one extension per phone. After entering the admin user name and password on the phone's web UI, click Line 1 and enter:
1. Screen name: test phone 101 (and 102 on the other phone)
2. Phone number: 101
3. Caller ID: 101 (can be an extension or name)
4. Auth name: 101
5. Password: voiptest101
6. BLA: -
7. Line mode: generic

The auth name and password should be the same as those on the server, otherwise the phones won't work.

Go to Basic SIP Settings:
1. Proxy server: type the FQDN or IP address of the server where Axon is installed
2. Proxy port: 5060
3. Registrar server: type the FQDN or IP address of the server where Axon is installed
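As an added example (not part of Peter's post or of Axon or Aastra), the following Python script derives each phone's Line 1 and Basic SIP settings from the Axon extension records above and checks the two things the post says must hold: the auth name and password must match the server-side extension or the phone will not register, and the test passwords (voiptest101) and the default phone admin password (22222) must be replaced before final configuration. The dictionary keys and the Axon host 192.0.2.10 are constructed stand-ins for the web UI fields, not an Aastra provisioning format.

```python
# Added example: map Axon extensions onto Aastra Line 1 / Basic SIP fields
# and validate them before deployment. Field names are a constructed
# representation of the web UI fields in the post, not a provisioning file.
from dataclasses import dataclass
from typing import Dict, List

AXON_HOST = "192.0.2.10"           # constructed sample: FQDN or IP of the Axon server
AASTRA_DEFAULT_ADMIN_PW = "22222"  # factory admin password named in the post
TEST_PASSWORD_PREFIX = "voiptest"  # the test-only SIP passwords used in the post
MIN_SIP_PASSWORD_LEN = 12          # assumption: our own threshold for "strong"


@dataclass
class Extension:
    number: str
    display_name: str
    password: str


def line1_settings(ext: Extension) -> dict:
    """Map one server extension onto the phone's Line 1 fields (post steps 1-7)."""
    return {
        "screen_name": ext.display_name,
        "phone_number": ext.number,
        "caller_id": ext.number,
        "auth_name": ext.number,
        "password": ext.password,
        "bla": "-",
        "line_mode": "generic",
    }


def basic_sip_settings(host: str = AXON_HOST) -> dict:
    """Proxy and registrar both point at the Axon server on port 5060."""
    return {"proxy_server": host, "proxy_port": 5060, "registrar_server": host}


def registration_problems(line: dict, server: Dict[str, Extension]) -> List[str]:
    """Reasons the phone would fail to register: auth name or password not
    matching the server extension (the post: 'otherwise the phones won't work')."""
    ext = server.get(line["auth_name"])
    if ext is None:
        return [f"auth name {line['auth_name']} is not an extension on the server"]
    if line["password"] != ext.password:
        return [f"password for extension {line['auth_name']} does not match the server"]
    return []


def deployment_problems(line: dict, phone_admin_pw: str) -> List[str]:
    """Credential hygiene checks to run before the final configuration."""
    issues = []
    pw = line["password"]
    if pw.startswith(TEST_PASSWORD_PREFIX) or len(pw) < MIN_SIP_PASSWORD_LEN:
        issues.append(f"extension {line['auth_name']}: replace the test/short SIP password")
    if phone_admin_pw == AASTRA_DEFAULT_ADMIN_PW:
        issues.append(f"extension {line['auth_name']}: phone still uses the default admin password")
    return issues


if __name__ == "__main__":
    # Constructed sample: the two test extensions from the post.
    server = {e.number: e for e in (Extension("101", "test phone 101", "voiptest101"),
                                    Extension("102", "test phone 102", "voiptest102"))}
    for number in ("101", "102"):
        line = line1_settings(server[number])
        print(number, registration_problems(line, server), deployment_problems(line, "22222"))
```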

Sunday, June 22, 2014

I get a daily bible reading via email every day. To me, I just find it helpful in a fast paced world sometimes. This below reminded me of Vulcan in Birmingham. Isaiah 44:9-20.

9 All who make idols are nothing, and the things they treasure are worthless. Those who would speak up for them are blind; they are ignorant, to their own shame. 10 Who shapes a god and casts an idol, which can profit nothing? 11 People who do that will be put to shame; such craftsmen are only human beings. Let them all come together and take their stand; they will be brought down to terror and shame.

12 The blacksmith takes a tool and works with it in the coals; he shapes an idol with hammers, he forges it with the might of his arm. He gets hungry and loses his strength; he drinks no water and grows faint. 13 The carpenter measures with a line and makes an outline with a marker; he roughs it out with chisels and marks it with compasses. He shapes it in human form, human form in all its glory, that it may dwell in a shrine. 14 He cut down cedars, or perhaps took a cypress or oak. He let it grow among the trees of the forest, or planted a pine, and the rain made it grow. 15 It is used as fuel for burning; some of it he takes and warms himself, he kindles a fire and bakes bread. But he also fashions a god and worships it; he makes an idol and bows down to it. 16 Half of the wood he burns in the fire; over it he prepares his meal, he roasts his meat and eats his fill. He also warms himself and says, “Ah! I am warm; I see the fire.” 17 From the rest he makes a god, his idol; he bows down to it and worships. He prays to it and says, “Save me! You are my god!” 18 They know nothing, they understand nothing; their eyes are plastered over so they cannot see, and their minds closed so they cannot understand. 19 No one stops to think, no one has the knowledge or understanding to say, “Half of it I used for fuel; I even baked bread over its coals, I roasted meat and I ate. Shall I make a detestable thing from what is left? Shall I bow down to a block of wood?” 20 Such a person feeds on ashes; a deluded heart misleads him; he cannot save himself, or say, “Is not this thing in my right hand a lie?”

Friday, June 20, 2014

One of my customers and I did an upgrade of two Check Point 4800 enforcement modules in HA. We debated between a fresh install and an upgrade. We went for the fresh install. So with ISOmorphic, a Gaia R77.10 image and a thumb drive, we got the two 4800s upgraded without issue. One thing I do not care for is the wording of one screen in particular. Close to the end of the install, it gives you the impression that the install failed and that it's reverting back to the original image that came on the box. However, it does actually complete the install without issue. It says "reverting image". No worries. I just don't like the wording.

I guess I just would like to see it say something like "installing image", or something a little less worrying.
The two 4800 enforcement modules we upgraded:

Thursday, June 19, 2014

This still gets me on occasion. On these older Catalyst Cisco switches, like the 2900 and the 3550, you still have to create the vlan in the vlan database before passing data will work ON THAT VLAN. I ran into this recently again. Gets me a lot.

Wednesday, June 18, 2014

With the last post on how to do a "migrate import", one problem I did have was the error message below. I found I had to import the pointer files, etc., to fix my problem of not being able to open the log files, since my customer did want the log files included in the import. No worries, steps 3 and 4 resolved my issue. Below is the SK that we referred to when I couldn't open the log files in Tracker.

SK35401: SmartView Tracker does not display any logs and a popup appears "Failed to open file fw.log"

SYMPTOMS

SmartView Tracker does not display any logs and a popup appears "Failed to open file fw.log"

SmartView Tracker does not display logs correctly.

CAUSE

Possible reasons:

Some temporary issues with SmartView Tracker daemon (cplmd).

Some of the log pointers are missing or corrupted.

SOLUTION

Follow these steps:

Restart Check Point services on the machine to which you connect with SmartView Tracker (Management Server / Log Server):

Tuesday, June 17, 2014

I've written about the "migrate export" (upgrade export) command, but I don't recall doing a "migrate import". Below, I show you how I did an import from a SPLAT platform to an open server platform. I just needed to verify the data was good from the export.

Sunday, June 15, 2014

Jesus said this in John 14:15 - 15 “If you love me, keep my commands.” So, what are some of the things He said for us to do: Matthew 22:37 - 37 Jesus replied: “‘Love the Lord your God with all your heart and with all your soul and with all your mind.’” Matthew 22:39 - 39 And the second is like it: ‘Love your neighbor as yourself.’ There are a few other commands, like the 10 commandments, since Jesus is God in the flesh. I guess we have to read the Word to find out what His commandments really are. So I find this interesting: John 14:24 - 24 Anyone who does not love me will not obey my teaching. These words you hear are not my own; they belong to the Father who sent me. Go back and read John 14:15 again: 15 “If you love me, keep my commands.” So I can only conclude that if we do not obey His teaching, that we do not really love Him, based on John 14:24. I would ask you what you think about this, but in reality, it doesn't matter what you or I think. It matters what He said. I think I need to go back and make sure I know what His commands were. It might be important.

Saturday, June 14, 2014

I've been thinking that maybe I should do a "IT picture of the week" on Saturdays. I don't know if it will work out, but I'll start today just for fun. It may be for my entertainment only, but I hope you enjoy as well.

Friday, June 13, 2014

In FTP'ing a large file into a management station, I ran into getting logged out a few times. I realized I had to set the time value to something higher. So I did just that. Oh yeah, it doesn't appear that you can do this in expert mode either:
I get logged out:
[CP]#

Monday, June 9, 2014

Another engineer I work with named Antonio and I went out this weekend to troubleshoot a problem that has been a real problem for some time. The customer has several racks full of servers with dual FastIrons with 10G uplinks back to the dual core of SuperXs. It's a nice setup. However, one switch in particular has not had redundant links due to "the problem" that is caused when the second link is in place. The report given to us is that the network is brought to its knees. (Sounds like a loop, right?) Here is the topology:

The problem: top of rack switch showed incremental input errors by the thousands per second, which flooded the link (due to input errors on the top of rack switch), caused a 99% spike in CPU utilization on the core switches only, and brought the network to its knees from a performance perspective.

The solution: Antonio found "dual-mode 1" configured on the 7/1 interface on the SuperX, which is used to untag vlan 1 traffic across the uplink to the top of rack switch. The top of rack switch did not have that configuration on its side (Brocade to Brocade does not need that config). This should have caused a "network outage" on that link, meaning it should not have passed any traffic at all across the link, since it was configured on one side and not the other. However, we found that this caused input errors to increment across that link by the thousands per second across the uplink, causing the CPU to spike on the core switches to 99% utilization. Once we took the "dual-mode 1" command off of the interface, we no longer experienced the CPU spike. This is not the normal expectation for a config issue of this sort.
We believe that the core switches have a software bug that has caused this problem pertaining to the "dual-mode 1" configuration when the upstream switch is not configured for "dual-mode 1". We believe this because when we reverse this issue, meaning on the top of rack switch we configure the "dual-mode 1" command and have the core switches configured to NOT have the "dual-mode 1" command, we do not see any spike in CPU utilization on either side, and we cannot get any traffic across the link, as would be expected. As proof, we were able to ping 4.2.2.2 when configured correctly, and not able to ping 4.2.2.2 when not configured correctly on the top of rack side. With this said, we do believe that the core switches have a software bug that we are not able to resolve without upgrading the firmware to a later version.

With that said, the current version of the core switches is version SXL05100c. We tried to upgrade this to version SXR07202k, but we were unsuccessful with the following error:
=============================================================================
BR-DC_CORE_1#copy tftp flash 172.24.0.20 SXR07202k.bin primary
BR-DC_CORE_1#Router Code requires correct license PROM to be installed in the system
The code sub type 3 is not correct for the target hardware, abort!
File Type Check Failed

With this said, we will need to get with Brocade to find out what version we can go to without this message or obtain the license necessary.

Things we have verified are in good shape:
1. Fiber patch cable on both sides of the link, meaning on the core side and the top of rack side.
2. GBICs on both sides of the link.
3. GBIC modules in the core switches.
4. Fiber cabling from top of rack switch to Core switch.

Sunday, June 8, 2014

I have read of several places in the Old Testament where Jesus appears on the scene. First in creation with God, when God said: 1:26 Then God said, “Let us make mankind in our image, in our likeness, so that they may rule over the fish in the sea and the birds in the sky, over the livestock and all the wild animals, and over all the creatures that move along the ground.” Also in the furnace with Shadrach, Meshach, and Abednego. Who was that fourth person? Daniel 3:24-26: 24 Then King Nebuchadnezzar leaped to his feet in amazement and asked his advisers, “Weren’t there three men that we tied up and threw into the fire?”

They replied, “Certainly, Your Majesty.”

25 He said, “Look! I see four men walking around in the fire, unbound and unharmed, and the fourth looks like a son of the gods.”

And how about that guy Joshua spoke with at Jericho? Joshua bows down to him. I don't think it could be an angel, since angels don't allow people to bow down to them (since they didn't let John bow to them in Revelation). Joshua 5:13-15: 13 Now when Joshua was near Jericho, he looked up and saw a man standing in front of him with a drawn sword in his hand. Joshua went up to him and asked, “Are you for us or for our enemies?”

14 “Neither,” he replied, “but as commander of the army of the Lord I have now come.” Then Joshua fell facedown to the ground in reverence, and asked him, “What message does my Lord have for his servant?”

15 The commander of the Lord’s army replied, “Take off your sandals, for the place where you are standing is holy.” And Joshua did so.

What about Abraham? Didn't he see Jesus? Genesis 15:1-5 The Lord appeared to Abraham near the great trees of Mamre while he was sitting at the entrance to his tent in the heat of the day. 2 Abraham looked up and saw three men standing nearby. When he saw them, he hurried from the entrance of his tent to meet them and bowed low to the ground.

3 He said, “If I have found favor in your eyes, my lord, do not pass your servant by. 4 Let a little water be brought, and then you may all wash your feet and rest under this tree. 5 Let me get you something to eat, so you can be refreshed and then go on your way—now that you have come to your servant.”

“Very well,” they answered, “do as you say.”

Again, Abraham bows down to "the Lord", which he obviously saw in verse 1.

Thursday, June 5, 2014

THE MODIFIED POST:
So, I initially wrote this post below explaining the one thing I didn't like about the Brocade ICX6610s. You can read it below, but as it turns out, I must have had either a very old rack mount kit OR just a bad batch of kits. Not sure which. But, I installed some ICX6610s today that DID have that hole explained below. Very odd. Here is the picture I took to prove they actually do have the holes.

THE ORIGINAL POST:
I really like the Brocade 6610s. I just don't have problems out of them at all. However, of the many things I like about this switch, I finally found one thing I don't like. This past weekend, I ran into a rack that was bolted down to the ground. We didn't want to take the time to move the rack and bolt it down again, but we did need to get the ICX6610s in the rack. So, the natural thing to do would be to slide the rack mounts back to the next available holes so that the switch sticks out a little further out the front, to make room in the back of the rack. Well, I found out that you can't really do this without it sticking out really far. I mean about half way out the front. To me, that is too much. But, there was simply no other choice. I tried to look this up and see if I was just missing something. There is a diagram of one rack mount that has holes where it would mount the way I wanted it to. However, the rack mounts that came with the unit didn't have the holes I circled below. So, it sticks out halfway now. Not pretty to me, but I guess it works.

Tuesday, June 3, 2014

I have a medium sized project where another engineer I work with and I are going to be putting in a whole new network. Oh, guess what it is. That's right, Brocade gear. First thing to do: upgrade firmware to FCXR07300j.bin for the ICX6610 24Fs and ICX64S07400f.bin for the ICX6450s. I'm still not ready for the 8.X code just yet. Below the picture, I have the upgrade process if you would like to know how to do an upgrade. It's the same for both the 6610 and 6450s. Don't forget to upgrade the boot image.
You see all the Brocade gear for this project. I'm pointing out to the other engineer on this project what I have upgraded (marked with an X on the box). Still a few to go.

Monday, June 2, 2014

This was another weekend of replacing hardware. My truck has the Cisco gear loaded up for retirement, only to be replaced by Brocade gear. 6610s as the core and 6450s for access. Saves rack space and money and provides a really nice performing network.

Sunday, June 1, 2014

Commercials are really just in bad taste these days. Marketers seem to be going for the shock more than actually producing a quality commercial. I can think of three right now that drive sex as the theme instead of their product. Actually, four. I just thought of a fast food restaurant that did the same. I can tell you, I will not buy these products just because of their commercials. I guess if the ones creating these commercials cannot think of anything good to actually say about their product, they have to come up with sinful behavior to get your attention. Really pathetic!

Philippians 4:8 - Finally, brothers and sisters, whatever is true, whatever is noble, whatever is right, whatever is pure, whatever is lovely, whatever is admirable--if anything is excellent or praiseworthy--think about such things.